What is Service Control Policies?
=> This is another type of policy that we can apply in AWS. It allow you to control what aws services and actions are accessible for aws accounts within your organization.
=> SCPs operate on a "deny by default" principle, where you explicitly define permissions to deny or allow. They act as an additional layer of control on top of IAM policies.
=> In simple terms, SCPs help you say who gets to use what.
Service Control Policies: |
---|
Service Control Policies are associated with a service called AWS organization. |
AWS organization: It is a service that enable you to combine multiple AWS accounts into an organization that you create and centrally manage. It simplifies billing and cost allocation, applies policies across your accounts, and allow you to create a hierarchical structure with organizational units(OUs). |
Root: Root is the top-level entity in your AWS Organizations hierarchy. The purpose of root is where you initially set up your organization-wide controls, such as SCPs that apply to all accounts. |
AWS Organizations supports a hierarchical structure with the root at the top and OUs beneath it. |
Lets understand this with an analogy: |
Imagine AWS as a large corporate building. Each floor represents a different department or team (organizational unit or OUs). The CEO's office on the top floor(Root) makes high-level decisions for the entire company. Each department floor has specific rules(Service control policies or SCP's) at its entrance stating what that department can or cannot access. |
So, AWS Organizations is like a well organized corporate building where the CEO's office(Root) sets the main rules, and each department(OU) has its own rules posted at the entrance, ensuring a structured and controlled environment. |
Top comments (0)